The Joel on Software Discussion Group (CLOSED)
Using 'crypt' encryption

I am considering using 'crypt' encryption for passwords on a web-based application.

When matching passwords, does 'crypt' only look at the first 8 characters of the password?
mockConnections
Tuesday, May 22, 2007
 
 
Use MD5 instead, easier, safer and you don't have to worry about how long the input is.
Martin
Tuesday, May 22, 2007
 
 
+1 for using MD5
TravisO
Tuesday, May 22, 2007
 
 
There are known weaknesses in MD5.  Why not use SHA-512 instead?
Jeff Zanooda
Tuesday, May 22, 2007
 
 
And yes, I believe 'crypt' really does only look at the first 8 letters of the password.
AllanL5
Tuesday, May 22, 2007
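An added check, written by the editor for this page and not code from the thread, for the truncation AllanL5 and the original poster are asking about. Traditional DES-based crypt(3) uses only the first 8 characters of the password; `legacy_crypt_like` below is a constructed stand-in that reproduces just that property (it is not DES), and `effective_password_length` is a generic probe you can point at any `(password, salt)` hashing callable, including the platform's real `crypt.crypt` where Python still ships that module.

```python
"""Probe a password-hashing function for silent truncation, the way
traditional DES crypt(3) keeps only the first 8 characters.
Added example for this page, not code posted in the thread."""
import hashlib


def legacy_crypt_like(password: str, salt: str) -> str:
    """Constructed stand-in: mimics the 8-character limit of traditional
    crypt(3), not its algorithm.  Everything past index 7 is dropped."""
    key = password[:8]
    return salt + hashlib.sha256((salt + key).encode()).hexdigest()[:11]


def sha512_salted(password: str, salt: str) -> str:
    """Whole-password hash for comparison: every character influences the digest."""
    return salt + hashlib.sha512((salt + password).encode()).hexdigest()


def effective_password_length(hash_fn, salt: str = "ab", max_len: int = 64):
    """Return the first 0-based index at which changing the password no longer
    changes hash_fn's output, or None if every position up to max_len matters.
    hash_fn must take (password, salt) and be deterministic for a fixed salt."""
    base = "x" * max_len
    reference = hash_fn(base, salt)
    for i in range(max_len):
        flipped = base[:i] + "y" + base[i + 1:]
        if hash_fn(flipped, salt) == reference:
            return i  # position i (and beyond) is ignored by hash_fn
    return None


def probe_system_crypt():
    """Run the same probe against the platform's crypt(3) through Python's
    crypt module (deprecated in 3.11, removed in 3.13).  A two-character salt
    selects the traditional DES scheme on glibc.  Returns None if the module
    is missing or the platform refuses DES."""
    try:
        import crypt  # may be absent or deprecated
        return effective_password_length(lambda pw, s: crypt.crypt(pw, s), salt="ab")
    except (ImportError, OSError, ValueError):
        return None


if __name__ == "__main__":
    print("stand-in DES-style crypt:", effective_password_length(legacy_crypt_like))  # 8
    print("salted SHA-512:", effective_password_length(sha512_salted))             # None
    print("platform crypt(3) with 2-char salt:", probe_system_crypt())
```

If the probe returns 8 on your platform, "password1" and "password2" are the same password to that scheme. On glibc a salt beginning with `$6$` selects SHA-512 crypt (salted, iterated, not truncated), and Grant's point below about Blowfish (`$2a$`) is the same idea on BSD systems; running the probe against the scheme you actually configure confirms the limit instead of assuming it from the man page.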
 
 
md5 is just a step above base64 for passwords:

http://md5encryption.com/?mod=decrypt

Ultimately, crypt depends on the os implementation, so you'll need to read the docs specific to your os (man crypt).  If your crypt can do blowfish encryption, that'll store more than 8 characters, but once again, you'll have to look at the os docs.
Grant
Tuesday, May 22, 2007
 
 
If you have access to a SHA512 algorithm, then I'm with Jeff. If you don't then SHA1 will do and if you don't have access to this either, then try md5.

SHA1 has weaknesses too, but not as severe as md5 and md5 isn't actually totally insecure yet.

For a more thorough analysis of the subject:
http://www.jasypt.org/howtoencryptuserpasswords.html
Peter Monsson
Tuesday, May 22, 2007
 
 
Please, please, please, do some research on password encryption before implementing this.

The first thing you, or I for that matter, think of is likely to be very wrong.
dot for this one
Tuesday, May 22, 2007
 
 
http://md5encryption.com/?mod=decrypt is fake. It simply stores what you have put in before together with the MD5 and SHA1 digests. When "decrypting" it just looks up the hash in the database again.
Peter Monsson
Tuesday, May 22, 2007
 
 
And a hacker can't do that how?
Grant
Tuesday, May 22, 2007
 
 
[Hint, it's called a dictionary attack]
Grant
Tuesday, May 22, 2007
 
 
The only thing MD5 is known to be insecure for at present is digital signing of files where the original file is controlled by the malicious person.  They could generate two files with the same MD5 hash, and then they'd be able to change the file without you noticing.  This is serious stuff with dire implications, but they don't really affect password hashing.

(Hint, dictionary attacks are trivially foiled by salting.  Or by making your users pick secure passwords in the first place.)
Iago
Tuesday, May 22, 2007
 
 
Sorry, that "hint" part made me sound like a prick.

There's nothing inherently insecure with md5, but it was designed to run in 1991. How fast were even server-grade machines back then?  Even doing a dictionary attack with hashes isn't inconceivable these days.

http://www.google.com/search?hl=en&q=md5+crack&btnG=Search
Grant
Tuesday, May 22, 2007
 
 
>> http://md5encryption.com/?mod=decrypt

Peter - The website is not a fake. It is creating what is called a "Rainbow table".
pmuhC
Tuesday, May 22, 2007
 
 
Grant - pretty much any one-way hash function is open to a dictionary attack so this isn't a weakness in MD5 specifically.

If you're worried about dictionary attacks, there's a simple solution - generate a different, random salt for each password you hash. Store both the salt, and the hash of the password together with that salt.
Matt
Tuesday, May 22, 2007
 
 
For the truly paranoid - use real entropy if you can for that random salt - as you never know when some crypto geek will discover an attack on the hash function dependent on algebraic properties of a weak random number generator used for salts.
Matt
Tuesday, May 22, 2007
 
 
Where should i put the salt? How many teaspoons?
CARMACK
Tuesday, May 22, 2007
 
 
I agree with you all that rainbow tables and dictionary attacks are very real, and that one should try to guard against them as much as possible. But to imply that md5 has about the same security as base64 encoding is quite a stretch in my opinion. md5 is still a trap-door function and there is not yet an algorithm which is able to decrypt an md5 hash in trivial complexity just as there is an algorithm for decoding base64. Maybe I just misinterpreted your message, Grant.
Peter Monsson
Wednesday, May 23, 2007
 
 
Spreading FUD about MD5 is a form of hacker "social engineering" with the aim of goading people toward transmitting and storing plain text.

As others have pointed out, there are some real issues.  But the comparison to base64 encoding speaks volumes.
Codger
Wednesday, May 23, 2007
 
 
+1 for a salted SHA512 hash.
Arethuza
Wednesday, May 23, 2007
 
 
+1 for something that was said above:

When it comes to security, don't try and figure it out yourself. Go and do some research and find a well documented approach. It is way, way too easy to make mistakes when you do it yourself. Security is complicated, but luckily, all of the common tasks have been well documented already.

I hope I don't sound like a know it all. I'm actually talking from hard earned experience of screwing up several times myself when I tried to figure out the right way to do security all by myself. This led me to the rule: as soon as I start writing the security part of a system, I stop and do enough research to find the "standard" solution and implement that.

That link posed above by Peter Monsson looks like a good one for information about storing passwords.
Bill Tomlinson
Wednesday, May 23, 2007
 
 
md5encryption.com is a fraud.  It's storing your input along with the hash and then just returning your input when you enter the hash back in.  This somewhat simulates a pre-hashed dictionary attack, but the fraudulent step is that they're putting your input in their database.  It only works if they already have your unhashed data.

Here's a list of steps that demonstrates this nicely:

1) Generate some random data (I grabbed a GUID from http://www.guidgen.com ).
2) Use an independent MD5 generator to generate a hash (I used http://www.md5encrypter.com since Google suggested it).
3) Plug the MD5 from step #2 into md5encryption.com's decryptor.  It fails.
4) Plug the GUID from step #1 into md5encryption.com encryptor.  Note that the MD5 result matches the one from step #2.
5) Repeat step #3.  Notice how md5encryption.com is suddenly able to "decrypt". 

If you don't understand why what md5encryption.com is doing is not a real attack against MD5, you probably shouldn't be allowed near any code related to security.  This form of attack would work against any hashing algorithm.  This is why the concepts of salting and iterations exist.

Wednesday, May 23, 2007
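The five-step experiment above, and Matt's advice earlier in the thread to store a random per-password salt next to the hash, as an added example written for this page (not code from the thread or from md5encryption.com). `LookupService` models the site as the posts describe it: "encrypt" records plaintext-to-digest, "decrypt" is a reverse lookup of what it has already been given. The hash algorithm is a parameter to show the point made above that the trick is not MD5-specific; the seed word list is constructed. The second half shows what a web application should store instead: a random 16-byte salt, a stretched PBKDF2-HMAC-SHA512 digest, and a constant-time comparison, so that the value on disk never appears in any such table.

```python
"""Replay the md5encryption.com experiment from the thread and contrast it
with a salted, stretched password record.  Added example for this page."""
import hashlib
import hmac
import os
import uuid

# Constructed seed list, standing in for whatever a lookup site has collected.
SEED_WORDS = ["123456", "password", "qwerty", "letmein"]


class LookupService:
    """Models the site as described in the thread: encrypt() hashes the input
    AND records plaintext->digest; decrypt() is a reverse lookup.  Any
    hashlib algorithm name works, because the trick is not MD5-specific."""

    def __init__(self, algo: str = "md5", seed_words=SEED_WORDS):
        self.algo = algo
        self._table = {}
        for word in seed_words:
            self.encrypt(word)

    def encrypt(self, plaintext: str) -> str:
        digest = hashlib.new(self.algo, plaintext.encode()).hexdigest()
        self._table[digest] = plaintext  # the step the site does not advertise
        return digest

    def decrypt(self, digest: str):
        return self._table.get(digest)


def replay_experiment(algo: str = "md5"):
    """Steps 1-5 from the post above.  Returns (lookup result before the
    plaintext was submitted, whether the lookup afterwards returns the secret)."""
    site = LookupService(algo)
    secret = str(uuid.uuid4())                                    # 1: random data
    independent = hashlib.new(algo, secret.encode()).hexdigest()  # 2: hash it elsewhere
    before = site.decrypt(independent)                            # 3: fails -> None
    site.encrypt(secret)                                          # 4: hand the site the plaintext
    after = site.decrypt(independent)                             # 5: now it "decrypts"
    return before, after == secret


def unsalted_is_found(password: str, algo: str = "md5") -> bool:
    """A plain hash of a common password is recovered by the seeded table."""
    site = LookupService(algo)
    return site.decrypt(hashlib.new(algo, password.encode()).hexdigest()) == password


# ---- What to store instead: random salt per password, stretched, compared in constant time ----
ITERATIONS = 100_000  # tune to your hardware; the point is cost per guess


def make_record(password: str) -> str:
    """Return 'pbkdf2_sha512$<iterations>$<salt hex>$<digest hex>' with a fresh
    random salt, so two users with the same password get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare without an
    early exit so response time does not leak how many bytes matched."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_is_found(password: str, algo: str = "md5") -> bool:
    """Does the seeded table recognise what we actually store for a weak password?"""
    site = LookupService(algo)
    stored_digest = make_record(password).split("$")[-1]
    return site.decrypt(stored_digest) is not None


if __name__ == "__main__":
    print("md5 replay (before, after):", replay_experiment("md5"))        # (None, True)
    print("sha512 replay (before, after):", replay_experiment("sha512"))  # (None, True)
    print("plain md5('password') found:", unsalted_is_found("password"))  # True
    print("salted record found:", stored_is_found("password"))            # False
```

The salt does not need to be secret, only unpredictable and unique per record, which is why it is stored in the clear alongside the digest; what it buys is that a precomputed table has to be rebuilt per salt. The iteration count is what makes each guess expensive once an attacker has the records and builds a dictionary anyway.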
 
 
"md5encryption.com is a fraud."

A fraud? Maybe I have another definition of fraud, but on the page I read: "Or enter a MD5 hash or SHA1 hash and we will look into our database and try to decrypt MD5 or decrypt SHA1."

"but the fraudulant step is that they're putting your input in their database"

They don't claim that their database is read-only.

We could argue that the terms "encrypt" and "decrypt" are a bit misleading for a hash function, of course.
Secure
Thursday, May 24, 2007
 
 
Do you understand what they're doing?  They're taking your input, saving it along with the MD5, then spitting out your input when you enter the MD5.  They only know the "decrypted" input because you've already given it to them and they saved it.  As far as I can tell from the little bit of text on the page, at no point do they mention that they're doing this. 

If they don't want to be deceitful, they could just put up a one or two sentence explanation.  Then hopefully you won't get people who play around with this site and suddenly think MD5 is reversible and not much better than base-64.
SomeBody
Thursday, May 24, 2007
 
 
They say that they use a database. Surprise, surprise, a webserver can not only deliver data, it can receive and store it, too, e.g. in a database. Sorry, but I really don't understand your problem with this.

The very same people thinking that MD5 is no better than BASE64 will soon discover that a hash function reduces the number of bits, so by the laws of maths there MUST be collisions for multiple messages, thus by definition even a cryptographic hash can't be used to uniquely identify a block of data, because you must always compare the data itself for the collisions, and all the master cryptographers in the world really must be bullshit stupid for missing this obvious property.

Completely ignoring or without understanding probability and exponential growth, of course.

You will always have this effect when someone does not know the matter too deep (unhealthy smattering) and then stumbling across anything that does not explain in 101 detail level what it does. Some of them will learn when the facts are told to them, and others will begin to design their own crypto algorithms, because when even the masters are that stupid, then anybody can do this.
Secure
Friday, May 25, 2007
 
 
"Sorry, but I really don't understand your problem with this."

The problem is that they say they can "decrypt" MD5 hashes. That is totally false and misleading and is just a lot of unnecessary FUD.
DJ
Friday, May 25, 2007
 
 
"The problem is that they say they can "decrypt" MD5 hashes."

No, they don't say this. They say that they try to decrypt it using a database lookup. The wording may be a bit unfortunate, but it is definitely not fraud, fake or FUD.
Secure
Friday, May 25, 2007
 
 
The point is that they don't mention that they are storing your input in their database.  If they feel the need to mention that they're using their database to "decrypt", why would they omit that they're using your "encrypt" input to populate that same database?  Omitting that information makes it appear that they're doing something they're not doing to someone who doesn't technically understand (see the posts in this thread as an example). 

The page has ads all over it and a web site that can magically "decrypt" MD5 will attract a lot more viewers than one that just spits out the input you give it.  Not to mention that this is a great way to populate their database with real world passwords from naive individuals who might think this is a good way to test the strength of their passwords to "decryption".
SomeBody
Friday, May 25, 2007
 
 
Okay, one last time, I get tired of this. You mention two interesting points. Let me stretch your logic a bit further.

"The point is that they don't mention that they are storing your input in their database."

My TV manual doesn't mention that the program is transmitted with the help of modularized electromagnetic waves. Thus if anyone reading this manual comes to the conclusion that the pictures are transferred by fairies directly hypnotizing the TV program into the brain of the viewer, then the TV manual is fraud and FUD?

My point is: Do you really expect any single website out there on the internet to be in 101 detail level, so that anyone, even those completely lacking any basic knowledge about the topic, will exactly understand what is going on? Then I have bad news for you: No matter how much information you give, there will always be someone drawing wrong conclusions from it.

"Not to mention that this is a great way to populate their database with real world passwords from naive individuals who might think this is a good way to test the strength of their passwords to "decryption"."

Just as Google is a great way to collect these passwords from naive individuals trying to find out about the security of their password - when there are no search results then it is a good password, because it is not used by anyone else.
Secure
Saturday, May 26, 2007
 
 
The web site is simply demonstrating that MD5 is susceptible to "known ciphertext attacks", as is every hash algorithm.  If you've seen the same hash before, you might be able to infer the plaintext as there are likely only a handful of small plaintexts that have the same hash.  In a password scenario, it is likely that only one password using a reasonable character set of a reasonable length has that hash.  Also, in a password scenario, if there happen to be two passwords that hash to the same value, both will work to log you in!!  You don't need to worry if you got the right one.

This is a very common cracking technique used in the real world.  A common defence is to salt the plain text before hashing.
JSmith
Saturday, May 26, 2007
 
 